Year: 2016 (Page 2 of 2)

Canadians, and many people around the world, are increasingly purchasing and using electronic devices meant to capture and record their relative levels of fitness. Contemporary fitness trackers collect a broad range of data, and can include the number of floors climbed, levels and deepness of sleep, how many steps taken and distance travelled over a day, heart rates, and more. All of this data is of interest to the wearers of the devices, to companies interested in mining and selling collected fitness data, to insurance companies, to authorities and courts of law, and even potentially to criminals motivated to steal or access data retained by fitness companies.

Given the potential privacy implications associated with fitness trackers, Andrew Hilts (Open Effect/Citizen Lab), Jeffrey Knockel (University New Mexico/Citizen Lab), and I investigated the kinds of information that are collected by the companies which develop and sell some of the most popular wearable fitness trackers in North America. We were motivated to specifically understand:

Whether data which are technically collected by the wearable devices was noted in the companies’ privacy policies and terms of service and, if so, what protections or assurances individuals had concerning the privacy or security of that data?

If fitness and other collected data was classified as ‘personal’ data by the companies in question?

Whether the information received by the individual matched what a company asserted was ‘personally identifiable information’ in their terms of service or privacy policies.

Data collected by fitness tracking companies did not necessarily match with what can be obtained through an access request.

This research was funded by the Office of the Privacy Commissioner of Canada’s Contributions Program, with additional contributions from the Citizen Lab at the Munk School of Global Affairs, at the University of Toronto. Open Effect has created a webpage dedicated to the report and its impacts.

On October 14, 2015 the Pivot Legal Society in British Columbia filed a complaint with the Office of the Information and Privacy Commissioner (OIPC) of British Columbia concerning the Vancouver Police Department’s (VPD) refusal to disclose any documents concerning the department’s use of IMSI Catchers. IMSI Catchers, also known as Cell Site Simulators or Mobile Device Identifiers, are designed to impersonate cellular telecommunications towers. The devices are used to collect identifiers and potentially content transmitted from mobile phones in the device’s vicinity. In response to Pivot Legal Society’s complain Tamir Israel (from CIPPIC) l and I intervened on behalf of Open Media to argue that VPD ought to be compelled to disclose documents they possessed concerning their use of IMSI Catchers.

Our intervention begins by outlining how IMSI Catchers technically function. Next, we demonstrate how the test for investigative necessity advanced by VPD simply does not apply to responsive records in light of the significant general information regarding IMSI Catcher use. Finally, we argue that even if disclosure of responsive records will, to some degree, undermine the utility of IMSI Catchers as an investigative tool, disclosure must still occur. Confirmation of IMSI Catcher use is a necessary precursor to informed public debate and to the proper legal constraint of an invasive surveillance tool and is therefore in the public interest.

On January 14, 2016, the Ontario Superior Court ruled that “tower dumps” – the mass release of data collected by cellphone towers at the request of law enforcement agencies – violate privacy rights under the Canadian Charter of Rights and Freedoms. In response, Justice Sproat outlined a series of guidelines for authorities to adhere to when requesting tower dump warrants in the future.

I wrote about this case for PEN Canada. I began by summarizing the issue of the case and then proceeded to outline some of the highlights of Justice Sproat’s decision. The conclusion of the article focuses on the limits of that decision: it does not promote statutory reporting of tower dumps and thus Canadians will not learn how often such requests are made; it does not require notifying those affected by tower dumps; it does not mean Canadians will know if data collected in a tower dump is used in a subsequent process against them. Finally, the guidelines are not precedent-setting and so do not represent binding obligations on authorities requesting the relevant production orders.

Last week, Canadians learned that their foreign signals intelligence agency, the Communications Security Establishment (CSE), had improperly shared information with their American, Australian, British, and New Zealand counterparts (collectively referred to as the “Five Eyes”). The exposure was unintentional: Techniques that CSE had developed to de-identify metadata with Canadians’ personal information failed to keep Canadians anonymous when juxtaposed with allies’ re-identification capabilities. Canadians recognize the hazards of such exposures given that lax information-sharing protocols with US agencies which previously contributed to the mistaken rendition and subsequent torture of a Canadian citizen in 2002.

Tamir Israel (of CIPPIC) and I wrote and article for Just Security following these revelations. We focused on the organization’s efforts, and failure, to suppress Canadians’ identity information that is collected as part of CSE’s ongoing intelligence activities and the broader implications of erroneous information sharing. Specifically, we focus on how such sharing can have dire life consequences for those who are inappropriately targeted as a result by Western allies and how such sharing has led to the torture of a Canadian citizen. We conclude by arguing that the collection and sharing of such information raises questions regarding the ongoing viability of the agency’s old-fashioned mandates that bifurcate Canadian and non-Canadian persons’ data in light of the integrated nature of contemporary communications systems and data exchanges with foreign partners.

Parsons, Christopher. (2015). “Stuck on the Agenda: Drawing lessons from the stagnation of ‘lawful access’ legislation in Canada,” Michael Geist (ed.), Law, Privacy and Surveillance in Canada in the Post-Snowden Era (Ottawa University Press).

Parsons, Christopher. (2015). “Beyond the ATIP: New methods for interrogating state surveillance,” in Jamie Brownlee and Kevin Walby (Eds.), Access to Information and Social Justice (Arbeiter Ring Publishing).

Bennett, Colin, and Parsons, Christopher. (2013). “Privacy and Surveillance: The Multi-Disciplinary Literature on the Capture, Use, and Disclosure of Personal information in Cyberspace” in W. Dutton (Ed.), Oxford Handbook of Internet Studies.

McPhail, Brenda; Parsons, Christopher; Ferenbok, Joseph; Smith, Karen; and Clement, Andrew. (2013). “Identifying Canadians at the Border: ePassports and the 9/11 legacy,” in Canadian Journal of Law and Society 27(3).

Parsons, Christopher; Savirimuthu, Joseph; Wipond, Rob; McArthur, Kevin. (2012). “ANPR: Code and Rhetorics of Compliance,” in European Journal of Law and Technology 3(3).